piątek, 27 września 2013

[EN] Alcatel OneTouch Website - XSS & SQL Injection

SO - first thing is, that both bugs are really obvious...I can't belive they exist so long in official Alcatel One Touch website.

How to reproduce bug:
1) Go to http://alcatelonetouch.com website
2) Search for bad'syntax or f<script>alert(1);</script>
3) Get alert or PHP Error (in case you're trying to exploit XSS or SQLi).

XSS:

SQLi:

I think this case is so basic, that it don't need to be explained.

Ok - now the funny part - timeline.

05/02/2013 - discovered the bug
06/02/2013 - contact using e-mail provided in WHOIS database
13/02/2013 - no response, contacted USSupport@tcl.com
11/03/2013 - mailed to Polish Alcatel-Lucent department with request of some contact info for my case
11/03/2013 - response from Alcatel-Lucent - forward me to TCL Communication
12/03/2013 - mail sent using official TCL contact form
13/03/2013 - after googlin' - found some employee working for TCL and contact info - sent mail.
29/04/2013 - no response - tried to contact using info.america@tcl.com
12/06/2013 - still no response, tried to contact with some sales managers, found on Alcatel website
28/06/2013 - Twitted @ALCATELONETOUCH about vuln and requested for contact informations
02/07/2013 - no response - another tweet.
04/07/2013 - stil no response - another tweet
08/07/2013 - ...and another ;)
09/07/2013 - everybody please, sit down - I've got first Alcatel response. It tells that I should contact using their Official Facebook.
09/07/2013 - Contacted using facebook.
10/07/2013 - Response that confirms, that informations about fact, that I found some issue in their website was sent to their "team".
10/07/2013 - Problem was, that I didn't provided any details about vulnerability, even what kind of issue it is ;) I asked if they need any details.
11/07/2013 - I sent really detailed advisory about vulnerability I found.
16/07/2013 - got response with confirmation of sharing my details with their tech team.
24/07/2013 - tried to get some other info - no response
07/08/2013 - ping -> no response.
27/09/2013 - not fixed -> Public Disclosure

Feel free to comment. :)

-- UPDATE --At 12/11/2013 one of TCL IT Managers responsible for AlcatelOneTouch.com website contacted with me. We cooperated to fix this issues and from now on it's ok. :)